DATABASE DECEPTION IN DIRECTORY SERVICES
First Claim
1. A method for detecting unauthorized access of a network environment, the method comprising:
instantiating, by a security computer system, at least one first network service and executing the at least one first network service on the security computer system;
transmitting, by the security system, at least one first credential effective to authorize use of the first network service to a central server implementing an active directory service for a plurality of second network services implemented by one or more network servers in data communication with the central server;
storing, by the central server, the one or more first credentials in a repository storing second credentials effective to authorize access to the plurality of second network services;
authenticating, by the central server, a first user;
determining, by the central server, that one of the second credentials authorizes the first user to access one of the second network services;
in response to determining that the one of the second credentials authorizes the first user to access the one of the second network services, instructing the one of the second network services to allow access by the first user;
authorizing, by the central server, a second user to access the at least one first network service using the at least one first credential;
in response to accessing of the at least one first network service by the second user, performing, by the security computer system:
permitting access to the at least one first network service;
outputting an alert indicating that unauthorized access of the central server has occurred.
Abstract
A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Credentials for services implemented by a BotSink may be planted in an active directory (AD) server. The BotSink periodically uses the credentials, thereby creating log entries indicating use thereof. In response to an attacker accessing the services using the credentials, the BotSink engages and monitors an attacker system and may generate an alert.
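The detection side of the scheme in the abstract, as an added example that is not code from the patent or from any vendor's product: credentials for decoy services are planted in the directory, the decoy host (the BotSink) logs in with them on a schedule so the accounts show normal-looking log entries, and any authentication with a planted credential that does not originate from the decoy host is reported as unauthorized use. The log format, account names, addresses and timestamps are constructed for the example; a real deployment would read the domain controller's security log. The `stale_decoys` check goes one step beyond the abstract: it verifies that the periodic use the scheme relies on is actually happening, since an unexercised decoy account is a deployment fault.

```python
"""Decoy-credential use detector.

Added example, not code from the patent or its assignee. Models the scheme
in the abstract: decoy credentials are planted in the directory, the decoy
host (BotSink) uses them periodically so they look live, and any use of a
planted credential from another source is unauthorized by construction.
All names, addresses and log lines below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample of directory authentication events (simplified format).
SAMPLE_LOG = """\
2024-05-01T02:00:00Z dc01 auth user=svc-backup-ro src=10.0.9.25 result=success
2024-05-01T02:00:05Z dc01 auth user=alice src=10.0.4.17 result=success
2024-05-01T03:00:00Z dc01 auth user=svc-backup-ro src=10.0.9.25 result=success
2024-05-01T03:12:41Z dc01 auth user=svc-backup-ro src=10.0.4.88 result=success
2024-05-01T03:13:02Z dc01 auth user=admin-legacy src=10.0.4.88 result=failure
2024-05-01T03:13:03Z dc01 auth user=bob src=10.0.4.88 result=failure
"""

# Accounts the decoy host planted in the directory (assumed names).
DECOY_ACCOUNTS = frozenset({"svc-backup-ro", "admin-legacy"})
# Address of the decoy host, the only legitimate user of those accounts (assumed).
BOTSINK_HOSTS = frozenset({"10.0.9.25"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dc>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    dc: str
    user: str
    src: str
    result: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    src: str
    reason: str


def parse_events(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, m["dc"], m["user"], m["src"], m["result"]))
    return events


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS, botsink_hosts=BOTSINK_HOSTS):
    """Alert on every use of a planted credential not made by the decoy host.

    A successful logon shows the planted credential was obtained from the
    directory; a failure still shows someone tried the decoy account, so both
    are reported, with a different reason.
    """
    alerts = []
    for e in events:
        if e.user not in decoys:
            continue
        if e.src in botsink_hosts:
            continue  # the decoy host's own scheduled use: expected, stays silent
        if e.result == "success":
            reason = "decoy credential used"
        else:
            reason = "authentication attempt against decoy account"
        alerts.append(Alert(e.ts, e.user, e.src, reason))
    return alerts


def stale_decoys(events, max_gap, decoys=DECOY_ACCOUNTS, botsink_hosts=BOTSINK_HOSTS):
    """Return decoy accounts the decoy host has not successfully used within max_gap.

    The scheme depends on the periodic logons that keep the accounts looking
    live; a decoy with no recent use by the decoy host (scheduler stopped,
    account disabled, password rotated) should be repaired before it stands out.
    """
    if not events:
        return sorted(decoys)
    latest = max(e.ts for e in events)
    last_use = {}
    for e in events:
        if e.user in decoys and e.src in botsink_hosts and e.result == "success":
            last_use[e.user] = max(last_use.get(e.user, e.ts), e.ts)
    return sorted(u for u in decoys if u not in last_use or latest - last_use[u] > max_gap)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_decoy_use(evs):
        print(f"ALERT {a.ts.isoformat()} user={a.user} src={a.src}: {a.reason}")
    for u in stale_decoys(evs, timedelta(hours=2)):
        print(f"WARN decoy account {u} not exercised by the decoy host recently")
```

The allowlist keyed on source address is the simplest way to separate the BotSink's scheduled logons from everyone else's; against a real directory the same split would be made on whatever field the domain controller's logon events carry for the originating workstation, and the decoy host's schedule would set `max_gap`.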
20 Claims
1. The method claim reproduced above under First Claim; claims 2 to 10 depend on it.
11. A system for detecting unauthorized access of a network environment, the system comprising:
a security computer system including one or more first processing devices and one or more first memory devices coupled to the one or more first processing devices, the one or more first memory devices storing executable code effective to cause the one or more processing devices to:
instantiate at least one first network service and execute the at least one first network service;
transmit at least one first credential effective to authorize use of the first network service to a central server implementing an active directory service for a plurality of second network services implemented by one or more network servers in data communication with the central server;
authorize access by a first user in response to receiving an authentication communication from the central server referencing the at least one first credential;
in response to the communication from the central server referencing the at least one first credential:
permit access by the first user to the at least one first network service;
output an alert indicating that unauthorized access of the central server has occurred.
Claims 12 to 20 depend on claim 11.